Fix XSS issue by not using URI.join

5bf22606 · Douwe Maan · 27f2ca94 · 5bf22606
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

app/models/environment.rb app/models/environment.rb +1 -2

未找到文件。
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
    public_path = project.public_path_for_source_path(path, commit_sha)
    return unless public_path

-    # TODO: Verify this can't be used for XSS
-    URI.join(external_url, public_path).to_s
+    [external_url, public_path].join('/')
  end

  private